[wp-hackers] Limit Login Attempts

William P. Davis will.davis at gmail.com
Tue Apr 16 16:50:54 UTC 2013


Wasn't Jorbin working on something a while back? Did that ever make it into core?
Sent from my BlackBerry

-----Original Message-----
From: Otto <otto at ottodestruct.com>
Sender: wp-hackers-bounces at lists.automattic.com
Date: Tue, 16 Apr 2013 11:48:48 
To: <wp-hackers at lists.automattic.com>
Reply-To: wp-hackers at lists.automattic.com
Subject: Re: [wp-hackers] Limit Login Attempts

On Tue, Apr 16, 2013 at 10:46 AM, Marko Heijnen <mailing at markoheijnen.nl> wrote:
> ... checking the password strength ...

Determining password strength is a surprisingly difficult thing to do
properly. The current password strength indicator in core is kinda
lame. It's okay for me to say that, since I wrote it. :) It's just a
basic bit-strength check. Sort of the lowest end form of check. Not
perfect, but better than what we had before.

The underlying problem is that modern brute force attacks are built
based on the large lists of passwords that have been released over the
last few years, and so you can do much better than random with them by
using dictionary based attacks, since it's now known that most people
use dictionary based passwords.

Dropbox made a library a year ago to do better password checking (
https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/
) and I implemented it as a plugin yesterday (
http://wordpress.org/extend/plugins/zxcvbn/ ), but if you'll notice,
this thing has 700k of dictionary in it. Way too big for core.

I don't have a solution, just a few references to help clarify the problems.

-Otto
_______________________________________________
wp-hackers mailing list
wp-hackers at lists.automattic.com
http://lists.automattic.com/mailman/listinfo/wp-hackers
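To illustrate Otto's point that a plain bit-strength check overrates dictionary-derived passwords, here is an added JavaScript example (not code from WordPress core, the zxcvbn plugin, or any list participant): a naive character-pool entropy estimate beside a dictionary-aware estimate that charges a matched word only its rank in a tiny constructed word list. The COMMON list and the rank-based cost model are assumptions, a much simplified version of what zxcvbn does with its large dictionaries.

```javascript
// Constructed sample dictionary: rank 1 is the most common password.
// A real list (zxcvbn's is ~700 KB) has tens of thousands of entries.
const COMMON = ["password", "123456", "qwerty", "letmein", "dragon", "monkey"];

// Size of the character pool, as a naive bit-strength meter counts it.
function poolSize(pw) {
  let pool = 0;
  if (/[a-z]/.test(pw)) pool += 26;
  if (/[A-Z]/.test(pw)) pool += 26;
  if (/[0-9]/.test(pw)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) pool += 33; // printable ASCII punctuation
  return pool;
}

// Naive estimate: every character is assumed to be random over the pool.
function bitStrength(pw) {
  if (!pw.length) return 0;
  return pw.length * Math.log2(poolSize(pw));
}

// Dictionary-aware estimate: at each position consume the longest matching
// dictionary word (case-insensitive); a matched word costs its rank in
// guesses, an unmatched run costs pool^length. Bits = log2 of the product.
// Assumes ASCII input so that lower-casing preserves string indices.
function dictionaryAwareStrength(pw, dict = COMMON) {
  const lower = pw.toLowerCase();
  let i = 0, guesses = 1, run = "";
  const flushRun = () => {
    if (run.length) guesses *= Math.pow(poolSize(run), run.length);
    run = "";
  };
  while (i < lower.length) {
    let best = null;
    for (const [idx, w] of dict.entries()) {
      if (lower.startsWith(w, i) && (!best || w.length > best.word.length)) {
        best = { word: w, rank: idx + 1 };
      }
    }
    if (best) { flushRun(); guesses *= best.rank; i += best.word.length; }
    else { run += pw[i]; i += 1; }
  }
  flushRun();
  return Math.log2(guesses);
}

// Side-by-side view: "Password1" looks like ~54 bits to the naive meter
// but only ~3.3 bits once "password" is recognised as the top dictionary entry.
function compare(pw) {
  return { naiveBits: bitStrength(pw), dictionaryBits: dictionaryAwareStrength(pw) };
}
```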